Skip to main content

About support for your IdP's Conditional Access Policy

When your enterprise uses OIDC SSO, GitHub can validate access to your enterprise and its resources using your IdP's Conditional Access Policy (CAP).

ID 공급자를 사용하여 엔터프라이즈의 사용자를 관리하려면 GitHub Enterprise Cloud에서 사용할 수 있는 Enterprise Managed Users에 대해 엔터프라이즈를 사용하도록 설정해야 합니다. 자세한 내용은 "Enterprise Managed Users 정보"을 참조하세요.

참고: Enterprise Managed Users에 대한 OIDC(OpenID Connect) 및 CAP(조건부 액세스 정책) 지원은 Azure AD만 사용할 수 있습니다.

About support for Conditional Access Policies

엔터프라이즈에서 OIDC SSO를 사용하는 경우 GitHub는 IdP의 CAP(조건부 액세스 정책) IP 조건을 자동으로 사용하여 멤버가 IP 주소를 변경하고, personal access token 또는 SSH 키를 사용할 때마다 GitHub와의 사용자 상호 작용 유효성을 검사합니다.

GitHub Enterprise Cloud supports CAP for any 관리되는 사용자가 있는 엔터프라이즈 where OIDC SSO is enabled. GitHub Enterprise Cloud enforces your IdP's IP conditions but cannot enforce your device compliance conditions. Enterprise owners can choose to use this IP allow list configuration instead of GitHub Enterprise Cloud's IP allow list, and can do so once OIDC SSO is configured. For more information about IP allow lists, see "IP 허용 목록을 사용하여 엔터프라이즈에 대한 네트워크 트래픽 제한" and "조직에 허용되는 IP 주소 관리."

For more information about using OIDC with Enterprise Managed Users, see "Configuring OIDC for Enterprise Managed Users" and "SAML에서 OIDC로 마이그레이션."

Considerations for integrations and automations

GitHub sends the originating IP address to your IdP for validation against your CAP. To make sure actions and apps are not blocked by your IdP's CAP, you will need to make changes to your configuration.

경고: GitHub Enterprise Importer를 사용하여 GitHub Enterprise Server 인스턴스에서 조직을 마이그레이션하는 경우 Azure AD CAP에서 제외된 서비스 계정을 사용해야 합니다. 그러지 않으면 마이그레이션이 차단될 수 있습니다.

GitHub Actions

Actions that use a personal access token will likely be blocked by your IdP's CAP. We recommend that personal access tokens are created by a service account which is then exempted from IP controls in your IdP's CAP.

If you're unable to use a service account, another option for unblocking actions that use personal access tokens is to allow the IP ranges used by GitHub Actions. For more information, see "GitHub IP 주소 정보."

GitHub Codespaces

GitHub Codespaces may not be available if your enterprise uses OIDC SSO with CAP to restrict access by IP addresses. This is because codespaces are created with dynamic IP addresses which it's likely your IdP’s CAP will block. Other CAP policies may also affect GitHub Codespaces's availability, depending on the policy's specific setup.

GitHub Apps and OAuth apps

When GitHub Apps and OAuth apps sign a user in and make requests on that user's behalf, GitHub will send the IP address of the app's server to your IdP for validation. If the IP address of the app's server is not validated by your IdP's CAP, the request will fail.

When GitHub Apps call GitHub APIs acting either as the app itself or as an installation, these calls are not performed on behalf of a user. Since your IdP's CAP executes and applies policies to user accounts, these application requests cannot be validated against CAP and are always allowed through. For more information on GitHub Apps authenticating as themselves or as an installation, see "GitHub 앱을 사용한 인증 정보".

You can contact the owners of the apps you want to use, ask for their IP ranges, and configure your IdP's CAP to allow access from those IP ranges. If you're unable to contact the owners, you can review your IdP sign-in logs to review the IP addresses seen in the requests, then allow-list those addresses.

If you do not wish to allow all of the IP ranges for all of your enterprise's apps, you can also exempt installed GitHub Apps and authorized OAuth apps from the IdP allow list. If you do so, these apps will continue working regardless of the originating IP address. For more information, see "엔터프라이즈에서 보안 설정에 대한 정책 적용."